Commit 85b14c91 authored by intrigeri's avatar intrigeri

Merge branch 'bugfix/12092-kill-gdm-session-after-login-squashed' into devel...

Merge branch 'bugfix/12092-kill-gdm-session-after-login-squashed' into devel (Fix-committed: #12092)
parents 02ea848c edc71c6f
#!/bin/sh
set -e
set -u
echo "Enable GDM debug logs"
sed --in-place --regexp-extended \
's/^#Enable=true$/Enable=true/' /etc/gdm3/daemon.conf
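Review bot: The substitution on the last line is not scoped to the `[debug]` section, so it rewrites every commented `#Enable=true` in /etc/gdm3/daemon.conf; GDM also has an Enable key under `[xdmcp]`, and if a commented-out `#Enable=true` ever appears there this hook would turn on XDMCP instead of just logging. Restricting the range to the debug section keeps the intent explicit: `'/^\[debug\]$/,/^\[/ s/^#Enable=true$/Enable=true/'`. The script also never verifies that the line was present, so a changed upstream config leaves debug logging silently off; a follow-up `grep` for the enabled key would make that a hook failure instead.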
...@@ -27,6 +27,7 @@ systemctl --global enable tails-add-GNOME-bookmarks.service ...@@ -27,6 +27,7 @@ systemctl --global enable tails-add-GNOME-bookmarks.service
systemctl --global enable tails-additional-software-install.service systemctl --global enable tails-additional-software-install.service
systemctl --global enable tails-configure-keyboard.service systemctl --global enable tails-configure-keyboard.service
systemctl --global enable tails-create-tor-browser-directories.service systemctl --global enable tails-create-tor-browser-directories.service
systemctl --global enable tails-kill-gdm-session.service
systemctl --global enable tails-security-check.service systemctl --global enable tails-security-check.service
systemctl --global enable tails-upgrade-frontend.service systemctl --global enable tails-upgrade-frontend.service
systemctl --global enable tails-virt-notify-user.service systemctl --global enable tails-virt-notify-user.service
amnesia ALL = NOPASSWD: /usr/local/lib/tails-kill-gdm-session ""
#!/bin/sh
# tails-kill-gdm-session renames this script to /usr/lib/gdm3/gdm-session-worker
# before it kills Debian-gdm's GNOME session. And then, whenever GDM tries
# to start a new session worker, this script will only allow it to do so if
# that's for reauthentication purposes, i.e. to unlock the screen.
# Otherwise, we return exit code 0, so that GDM does not start a full-blown
# GNOME session that would uselessly eat hundreds of MB of memory.
# No "set -e" because we need to capture the exit status of gdm-session-worker.real.
# No "set -u" because we need to check an environment variable that may
# not be set: $GDM_SESSION_FOR_REAUTH.
if [ "$GDM_SESSION_FOR_REAUTH" = 1 ]; then
# Use "exec" so that real worker gets the same PID as this script,
# otherwise GDM's find_conversation_by_pid will fail to find the
# corresponding conversation, log "GdmSession: New worker
# connection is from unknown source", ignore the worker's query,
# and as a result unlocking the script will fail.
exec /usr/lib/gdm3/gdm-session-worker.real "$@"
else
exit 0
fi
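Review bot: The reason given in the header for dropping `set -u` disappears if the test uses a default expansion, `if [ "${GDM_SESSION_FOR_REAUTH:-}" = 1 ]; then`, which is safe when the variable is unset and lets the wrapper keep unset-variable checking for everything else (the header comment about `set -u` would then be removed). The comment above the `exec` line also reads "unlocking the script will fail" where "unlocking the screen will fail" appears to be meant. The decision to `exit 0` for every non-reauth request is explained, but the wrapper does not log that it refused a session start, which will make any future GDM failure to start a session hard to trace; a single `logger` line before `exit 0` would help.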
[Unit]
Description=Terminate the GDM session to free the corresponding memory
Documentation=https://tails.boum.org/contribute/design/
ConditionUser=1000
[Service]
Type=oneshot
ExecStart=/usr/bin/sudo /usr/local/lib/tails-kill-gdm-session
RemainAfterExit=yes
[Install]
WantedBy=desktop.target
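Review bot: `ConditionUser=1000` hard-codes the live user's UID, while the script this unit runs (tails-kill-gdm-session) identifies that user by name from /etc/live/config.d/username.conf; nothing on this page ties the two together, so if the UID assignment ever changes the unit would silently not run. A short comment would at least make the coupling visible: `# 1000 is the UID of $LIVE_USERNAME from /etc/live/config.d/username.conf; keep in sync`. Presumably a name-based condition is not available here, which would be worth stating in the same comment.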
#!/bin/sh
# Terminate GDM's GNOME session, in order to free a few hundreds of MB
# of memory. This script is run by the tails-kill-gdm-session.service
# under "systemd --user", during the "Applications" phase of the
# initialization of the amnesia user's GNOME session.
set -e
set -u
set -x
# Get LIVE_USERNAME
. /etc/live/config.d/username.conf
# Returns the identifier of the first X11 session of $LIVE_USERNAME.
# In this context, we know that:
# - There is one such session: we're run via desktop.target, which is started
# after GDM has logged in $LIVE_USERNAME and pam_systemd has allocated them
# a logind session.
# - There's no more than one such session: our Greeter/GDM integration code
# allows only one graphical login. Note that there can be other,
# non-graphical sessions: for example, when
# tails-virt-notify-user is running at the same time as we are.
# That's why we're looking specifically for sessions of type 'x11'.
live_user_logind_x_session_id() {
# The value of the Sessions property is a space-separated list
# of session identifiers
for session in $(loginctl --property=Sessions --value show-user "$LIVE_USERNAME"); do
if [ "$(loginctl --property=Type --value show-session "$session")" = 'x11' ]; then
loginctl --property=Id --value show-session "$session"
return 0
fi
done
echo "Unexpected error: no X11 session for ${LIVE_USERNAME}" >&2
return 1
}
logind_session_tty_number() {
session="$1"
loginctl --property=TTY --value show-session "$session" \
| sed -E 's,^tty,,'
}
# Replace gdm-session-worker with a version that won't start new
# sessions, except for reauthentication, i.e. for unlocking
# the screen.
mv /usr/lib/gdm3/gdm-session-worker /usr/lib/gdm3/gdm-session-worker.real
cp -a /usr/lib/gdm3/gdm-session-worker-only-reauth \
/usr/lib/gdm3/gdm-session-worker
# Kill GDM's gdm-session-worker: it's the parent process for all
# Debian-gdm processes, such as gdm-x-session; it would otherwise
# respawn another gdm-x-session after we've killed the first one.
pkill -u root --full --exact 'gdm-session-worker \[pam/gdm-launch-environment\]'
# Forcibly kill the Debian-gdm GNOME session,
# in case the former command was not enough.
loginctl --signal SIGKILL kill-user Debian-gdm || true
loginctl terminate-user Debian-gdm || true
# Activate the amnesia user's desktop session, in case we've killed
# the Debian-gdm session before GDM had time to do so; do this
# repeatedly for about 10 seconds, in case GDM take back control of
# the seat and switches back to VT1, after we've already activated
# amnesia's session and switched to VT2, because its own session was killed.
# Note that it may happen that GDM switches to VT1 while
# "loginctl --property=State --value show-user amnesia" still returns "active":
# disabling gdm-session-worker makes GDM confuse logind, that believes amnesia's
# desktop session is still active while we've switched to another VT.
tries=0
while [ $tries -lt 10 ]; do
LIVE_USER_LOGIND_X_SESSION_ID="$(live_user_logind_x_session_id)"
chvt "$(logind_session_tty_number "$LIVE_USER_LOGIND_X_SESSION_ID")"
loginctl activate "$LIVE_USER_LOGIND_X_SESSION_ID"
tries="$(expr "$tries" + 1)"
sleep 1
done
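Review bot: The `mv` followed by `cp -a` that installs the reauth-only wrapper is not safe to run twice: on a second run `mv` replaces gdm-session-worker.real with the wrapper installed by the first run, the real worker is lost, and screen unlocking breaks; because the sudoers entry added in this commit lets the amnesia user invoke the script without a password at any time, a repeat run is reachable, not just a theoretical re-execution of the user service. Guarding the move on the backup is enough: `[ -e /usr/lib/gdm3/gdm-session-worker.real ] || mv /usr/lib/gdm3/gdm-session-worker /usr/lib/gdm3/gdm-session-worker.real`. The pkill/loginctl and activation loop that follow are idempotent as far as this page shows. Minor: `tries="$(expr "$tries" + 1)"` can be the POSIX arithmetic `tries=$((tries + 1))`, and `session="$1"` in logind_session_tty_number is a global in a script that also uses `session` as the loop variable above.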
--- a/etc/xdg/autostart/spice-vdagent.desktop 2018-05-17 16:26:33.000000000 +0200
+++ b/etc/xdg/autostart/spice-vdagent.desktop 2019-08-14 10:25:08.000000000 +0200
@@ -5,5 +5,5 @@
Terminal=false
Type=Application
Categories=
-X-GNOME-Autostart-Phase=Initialization
+X-GNOME-Autostart-Phase=WindowManager
NoDisplay=true
...@@ -10,17 +10,7 @@ Feature: Additional software ...@@ -10,17 +10,7 @@ Feature: Additional software
# dependencies (which are documented below). # dependencies (which are documented below).
Scenario: I am warned I can not use Additional Software when I start Tails from a DVD and install a package Scenario: I am warned I can not use Additional Software when I start Tails from a DVD and install a package
Given a computer Given I have started Tails from DVD and logged in with an administration password and the network is connected
And the computer has 2650 MiB of RAM
And the network is unplugged
And I start the computer
And the computer boots Tails
And I set an administration password
And I log in to a new session
And the network is plugged
And Tor is ready
And all notifications have disappeared
And available upgrades have been checked
And I update APT using apt And I update APT using apt
When I install "sslh" using apt When I install "sslh" using apt
Then I am notified I can not use Additional Software for "sslh" Then I am notified I can not use Additional Software for "sslh"
...@@ -48,10 +48,6 @@ Given /^a computer$/ do ...@@ -48,10 +48,6 @@ Given /^a computer$/ do
$vm = VM.new($virt, VM_XML_PATH, $vmnet, $vmstorage, DISPLAY) $vm = VM.new($virt, VM_XML_PATH, $vmnet, $vmstorage, DISPLAY)
end end
Given /^the computer has (\d+) ([[:alpha:]]+) of RAM$/ do |size, unit|
$vm.set_ram_size(size, unit)
end
Given /^the computer is set to boot from the Tails DVD$/ do Given /^the computer is set to boot from the Tails DVD$/ do
$vm.set_cdrom_boot(TAILS_ISO) $vm.set_cdrom_boot(TAILS_ISO)
end end
...@@ -394,16 +394,6 @@ class VM ...@@ -394,16 +394,6 @@ class VM
return list return list
end end
def set_ram_size(size, unit = "KiB")
raise "System memory can only be added to inactive vms" if is_running?
domain_xml = REXML::Document.new(@domain.xml_desc)
domain_xml.elements['domain/memory'].text = size
domain_xml.elements['domain/memory'].attributes['unit'] = unit
domain_xml.elements['domain/currentMemory'].text = size
domain_xml.elements['domain/currentMemory'].attributes['unit'] = unit
update(domain_xml.to_s)
end
def set_os_loader(type) def set_os_loader(type)
if is_running? if is_running?
raise "boot settings can only be set for inactive vms" raise "boot settings can only be set for inactive vms"